要描述:0 ]. Y1 L/ k4 W B
! x, B/ A- ~. g9 V9 q
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
: P" R6 g3 U4 G% }2 Y& `详细说明:9 m6 j) M7 A2 X7 t1 U
Islogin //判断登录的方法. V1 |. B4 ^, `
. b+ f! [6 Y& f# k7 isub islogin()
3 a7 {) ]+ X6 q! T0 s+ R0 G& R3 ` % f! [# m- m7 w/ o$ g) V2 x9 @2 }
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then " u# h) }& m; U+ e8 H4 g+ j
1 b/ v- k m: K8 O6 wdim t0,t1,t2 8 v/ P" U2 i% z* S
! W: W0 z' {3 b. z
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 6 M& f% w7 x4 S4 G2 j
: d! V; ^0 P3 S) g+ M& h: @
t1=sdcms.loadcookie("islogin")8 |4 i+ Y% b) n; Z# G
x8 ~5 S) L4 a$ ]/ S$ B$ e/ _t2=sdcms.loadcookie("loginkey")
) ?+ i0 `9 Z6 P( p
' w! S3 X* _/ Mif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
; b- G Z6 d3 O" l0 ^/ ~
4 k& f0 T4 J" B! d' l( ~- I//
8 L | ]! F: m+ R5 K+ O7 p$ b2 t & W; r2 D. E9 V5 W, J9 V/ V( J; P2 Z
sdcms.go "login.asp?act=out"( K' f9 e+ I# b
, l0 A4 F3 u4 q3 _# k% C" x
exit sub) j3 v4 y9 N8 m' f7 U- K) E
3 @9 P# v: I5 m5 I
else, i# b4 D6 C. k- j4 x
, ?1 W. j6 X: N6 v6 S
dim data+ I# Q* q7 U3 h/ v+ `
9 v: C8 h2 |, |' r5 F
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控! i8 r2 n+ V4 D2 i' T) ?
4 Z0 E7 |: Y6 k. P% Jif ubound(data)<0 then
! L* ?; _7 H+ t7 B) o o1 k9 s
* @! R4 ?! ]- O" Lsdcms.go "login.asp?act=out"
; g1 r% D9 `4 \( ~2 H$ O
3 c2 J: g `- K* iexit sub
, D% A+ I1 z1 V # }% d- \; r# m& a4 O! z
else
+ y# F4 S H H( Q' G; n: G
: [+ ]* o* ~# `if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then( p8 \. \0 Q" n) T' `
9 d0 H* D8 ~2 j0 I
sdcms.go "login.asp?act=out"$ X% y" ~# Y R! U6 f
, {2 G& h( J o$ @' K' Z! mexit sub$ q2 x8 e/ F$ |: c4 m
5 m* h- |6 x& g% N8 {4 jelse0 i1 O- U7 h/ K$ K
% k1 O# s6 g5 n4 `6 A8 Q
adminid=data(0,0)7 y/ g! h" _$ B0 Y7 ~4 V% V
/ T Q# ]# C$ {: C) ^6 I) s" Ladminname=data(1,0)( H# t1 T3 w8 D3 N
+ k3 ~% W" g" f0 D7 P+ f
admin_page_lever=data(5,0)( }( C3 ]- j# m0 ~7 A
% m* R9 i- [$ A; ~6 _3 eadmin_cate_array=data(6,0)( S, [( v8 {" d0 I
, h4 O. k/ l5 Y
admin_cate_lever=data(7,0)) [: ^7 {0 V8 N7 ~
. }1 l+ s& E& R5 dif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
8 I& u- k; g/ }. y9 N. p8 E5 V
6 ?: t' I) B7 @, {- N7 s3 Yif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
8 W% C1 `& G. `8 ^ 9 j) j. `# U, }4 j
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=05 J* O, E' K8 ]: ]( ?8 N. @
5 s" `5 t/ ? v( C- v" A8 n$ J7 b
if clng(admingroupid)<>0 then
6 A& I4 O5 Q1 V. H% Z* |* w " D# Z; i& N" s `% \ d3 o2 ^7 f
admin_lever_where=" and menuid in("&admin_page_lever&")"
& @" ~' |9 L9 l$ a2 R! T$ A; s
9 @6 T; U7 n, N( v( O* _2 f5 Hend if
! J" ^/ G( r4 k/ @. Y' D0 r! \
/ L3 a5 Q& ]$ fsdcms.setsession "adminid",adminid
: g3 L1 q; e7 ^$ L7 F k! D: C- ]5 N$ Y2 U% @0 k6 C
sdcms.setsession "adminname",adminname2 e- _0 h& H5 P
( `' L% w% L: ?. l
sdcms.setsession "admingroupid",data(4,0)" s9 F7 R7 ]0 z. K
6 R7 ^" D5 t+ }end if
0 V$ u M2 }( j" c * s; V1 T; G) r# o: P6 t6 `* h, `
end if
3 X& w, j: s, j* u+ ?4 W0 _" F
+ D6 T+ @7 {/ hend if
) }9 h3 [$ J; M* i
4 t2 h& B% p- Aelse9 [; q7 P% E" J+ N" k0 c. Q
}- T: \+ Z* k
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")6 b4 n4 |8 U; ?( {/ ?
( m4 O3 l- D! l) d0 yif ubound(data)<0 then# p4 q4 p" F7 Z& ]2 R$ q
" f6 d2 ~" k: b, f( Z, O! u) u
sdcms.go "login.asp?act=out"
7 h5 i$ k+ U* y+ L" y7 N/ o6 `
0 W0 M( x E8 ?exit sub! _% ?, {# j9 m( x
( v; G0 h1 I D: F( v0 T
else
% b& h- B5 a0 d; _; m# H 9 C! r8 M2 N! ? {3 z4 A- n- W
admin_page_lever=data(0,0)7 `0 H" O8 r7 ~9 C& v3 C
' n6 Y) ]. V$ Z) K8 z! j# h. }# T( n
admin_cate_array=data(1,0)
! E/ t) V$ Y/ V! n
) ?# W8 ~) c$ ]4 t* k+ Xadmin_cate_lever=data(2,0)
; b! `; P+ e, s0 M; t7 T
9 T d& }; f0 Y7 Q; D3 K0 p: Kif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0* S: P5 G- B: x1 I) ^5 p
9 V9 v! a- |) k; i0 C. Y* Yif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
- N% v: q. S7 W) j+ D
9 l0 w8 j0 q" N7 ^# E4 |if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
$ \* Y _+ X7 b% B7 f- [# N6 y ( G( B2 q" R, ^
if clng(admingroupid)<>0 then
/ |6 s' F: H/ l; K6 c 0 t! w6 T6 p. g9 e
admin_lever_where=" and menuid in("&admin_page_lever&")"/ ^7 T+ v+ Y2 X5 }7 C% v( W; }
, Z& _: R* V( a; b# Jend if
8 k4 ?- z$ C7 c' Z9 Y; i) I
' b, x9 Q* f/ s$ l% g) ?- l1 Q- jend if
7 @. @6 k. R8 p! d2 ^- p. z
1 s* |5 }. n2 ?5 Y( H/ Yend if; q: L3 y) B9 Z
* o- z3 h6 A9 X9 g- S3 S
end sub* F5 o, \8 N" q3 l
漏洞证明:. b5 r, m4 M: M9 I
看看操作COOKIE的函数1 j- v+ `. h; Z9 \. J3 h0 w+ U' Z
2 \3 f! G0 Q: @3 K, {- p6 ?) vpublic function loadcookie(t0)' e. s& d5 }/ H
2 [" L0 E$ s8 a4 \loadcookie=request.cookies(prefix&t0)
3 C$ B% E7 a$ g$ g8 a) X ( n$ M* d3 u, P5 F. g( P- Z
end function) b( C# Q& A6 Z- C: Z
. S, {/ T* H5 f2 b& |public sub setcookie(byval t0,byval t1)
. s" g3 V/ W) p* l z- d ; Q( I6 `2 I% R' d
response.cookies(prefix&t0)=t1
, Z0 U$ `' Y) x% ]" y# t: _ 5 B9 D# X8 x: Q2 s
end sub) G6 W& ]2 i0 x" ~
" _- I3 u7 t2 C. O1 y kprefix
/ j/ p# h+ g* s; S+ S- {# Z : Z4 o, ]" o; B+ `. @. X
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
) p4 T, a: K0 t0 b
1 s) z. B# q& cdim prefix
# R% f' t* m9 Z, {7 I 2 L' z7 G3 H9 _3 m
prefix="1Jb8Ob"
5 o0 |0 Y8 T& ?' z. j/ W
2 p; u5 \' w0 k, [4 n! a7 K& b'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 8 v ?/ y% P( [; l, z: G8 B
" }) l/ ]5 v7 D# s2 h$ Qsub out
# P& W/ D; v- s 7 e/ X2 D; G* U: `
sdcms.setsession "adminid",""- Y S) `7 m; n% A& e
1 K" x! W" j1 H P. Esdcms.setsession "adminname",""& H8 e3 }( J5 N! k
7 {, D6 i, O/ [7 N
sdcms.setsession "admingroupid",""2 Z* I% h* D7 v" W( P( A8 ?$ b
* ~) F. S9 y! F
sdcms.setcookie "adminid",""* V6 d& [1 k3 J* g* U9 z! ?
7 f7 X$ M& ^9 ^, r7 y' A
sdcms.setcookie "loginkey",""' {/ j/ R# @/ T- @5 |
8 n( o7 J7 ]; A% g
sdcms.setcookie "islogin",""2 z5 u; g+ R* L3 J8 [' l( R' O
5 P6 g, T! S2 `/ G
sdcms.go "login.asp") ]! L, z9 I$ _$ ]& N% S2 G
) n" z K1 a8 l6 hend sub- f6 l k, w- C! l! ~
K* y: \7 w! s* H( ]$ p
! Y) [7 i3 C. x2 C' `/ |3 q利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
, j3 Y* m9 h0 H% b9 u修复方案:
* c0 N: k( c! X% z修改函数!
: Z7 b5 n# \9 K! t3 E |